Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
718
Views
0
Helpful
5
Replies

FTD 3110 - Change management ip without console access

JessF
Level 1
Level 1

‎09-25-2023 05:36 AM

Hi folks,

I hope someone can help me. I need to change the ip addresses on management interfaces of two FTDs, but I do not have access via console.
I already tried to configure ssh access via one of the data interfaces but I can't get it working. Is there any other way?


Thanks in advance!

0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-25-2023 05:51 AM

Do you have access via the current management interface? If so, just use the "configure network..." command.

0 Helpful

JessF
Level 1
Level 1
In response to Marvin Rhoads

‎09-25-2023 06:04 AM

Hi Marvin,

yes, I can access the FTD via the current management interface. Just wanted to make sure that I don't lose access at all. The devices are already located in the data center and it would be very inconvenient if someone would have to go there.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to JessF

‎09-25-2023 06:20 AM

If you're just changing addresses within the current subnet then it's a pretty low risk change. Changing subnets is a bit bigger deal since the gateway and, presumably, connections on the downstream device, would also have to change.

ssh via a data interface is only possible if you change that interface to also have the management role. Reference: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/get-started-device-management.html#Cisco_Concept.dita_a3adf1ee-a270-4ff4-8b7b-3f9a3f4f1636

0 Helpful

Aref Alsouqi
VIP
VIP

‎09-25-2023 06:23 AM

I think even if you enable management over a regular data interface, the actual management traffic would still need to go all the way down to the management interface. In fact, in that case the gateway of the management interface would be the data interface IP, otherwise, the remote SSH connection won't work. Imo enabling management on a data interface and enabling SSH would add complexity to what you are trying to do. I think it would be enough to double check that the new IP address of the management interface is routable up to its default gateway, added to any encryption domains and ACLs, and you would be safe to use the "configure network ..." command via SSH to the existing management IP.

0 Helpful

JessF
Level 1
Level 1

‎10-04-2023 05:07 AM

We tried to change the ip via "configure network..." and it did not work. We lost access to the FTD and had to go to the data center. It was NOT a routing or ACL issue. When we checked the configuration we found that the FTD still had the old ip address.

Any ideas on that?

We still have to change the management ip of the second FTD (that is located in a different data center) and it would be great if this would work better.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card